Programmer slip-up produces critical bug, Microsoft admits

Microsoft acknowledged Thursday that one of the critical network vulnerabilities it patched earlier in the week was due to a programming error on its part.

The flaw, one of 34 patched Tuesday in a massive security update , was in the code for SMB 2 (Server Message Block 2), a Microsoft-made network file- and print-sharing protocol that ships with Windows Vista, Windows 7 and Windows Server 2008.

"Look at the two array references to ValidateRoutines[] near the end," said Michael Howard, principal security program manager in Microsoft's security engineering and communications group, referring to a code snippet he showed in a post to the Security Development Lifecycle (SDL) blog. "The array index to both is the wrong variable: pHeader->Command should be pWI->Command."

Howard, who is probably best known for co-authoring Writing Secure Code , went on to say that the error was not only in new code, but a "bug of concern."

The incorrect variable -- "pHeader" instead of "pWI" -- produced a vulnerability that Microsoft rated critical, its highest threat ranking. "An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," read the MS09-050 security bulletin released Tuesday. Attackers could trigger the bug by sending a rigged SMB packet to an unpatched PC.

As he did in July when he admitted an extra "&" character in a Microsoft code library created a widespread vulnerability in most company software -- and software crafted by third-party developers such as Sun, Cisco and Adobe -- Howard argued that the SMB 2 mistake was virtually impossible to catch without a line-by-line review.

"There is only one current SDL requirement or recommendation that could potentially find this, and that is fuzz testing," said Howard. "The only other method that could find this kind of bug is very slow and painstaking code review. This code was peer-reviewed prior to check-in into Windows Vista; but the bug was missed. Humans are fallible, after all."

Fuzzing -- subjecting software to a wide range of data input to see if, and where, it breaks -- did uncover the bug "very late in the Windows 7 development process," Howard said. Although the preview versions of Windows 7 that Microsoft handed out to the public -- both the beta from January 2009 and the release candidate posted in May -- included the bug, Microsoft caught it in time to patch the RTM, or release to manufacturing, final code that will officially ship next Thursday.

The SMB 2 bug in question was not the one that Microsoft publicized last month in a security advisory. That vulnerability, which received attention because exploit code went public , also affected Windows 7 prior to the RTM build.

Howard also said that he thought Microsoft's SDL process has handled the "low-hanging bugs" in the company's code, leaving what he called "one-off bugs" that are difficult to detect using automated tools.

"The majority of the bugs I see in Windows are one-off bugs that can't be found easily through static analysis or education, which leaves only manual code review, and for some bug classes, fuzz testing," he said. "But fuzz testing is hardly perfect."

Most analysts this week urged Windows users to put the MS09-050 patches on a high-priority list, if only because exploit code for one of the three SMB 2 vulnerabilities was public knowledge. Microsoft echoed that in its monthly deployment recommendations .

This month's security updates, including MS09-050, can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited. Copyright 2013 IDG Communications.
ABN 14 001 592 650. All rights reserved.

Contact Us

With over 25 years of brand awareness and credibility, Good Gear Guide (formerly PC World Australia), consistently delivers editorial excellence through award-winning content and trusted product reviews.